System and method for presenting multivariate information

ABSTRACT

Systems and methods for presenting fraud detection information are presented. In one example, a computer system analyzes empirical data to detect potentially fraudulent activity and alerts users of the potentially fraudulent activity via a fraud detection user interface. The fraud detection user interface determines a set of user interface components to suitable to present the potentially fraudulent activity and presents facts associated with the potentially fraudulent activity to a user for further analysis and investigation.

BACKGROUND

Field of Invention

Aspects of the present invention relate to systems and methods formanaging risk by detecting fraudulent activity and more particularly toapparatus and methods for presenting analytically-driven fraud detectioninformation to a user via a user interface.

Discussion of Related Art

Fraudulent activities belonging to various categories are a significantissue for a wide variety of business concerns. For instance, within theU.S. retail industry, shrink due to employee theft totals close to $16billion annually. While in the U.S. healthcare industry, waste and abuseamounts to between $125 and $175 billion annually. Similarly, the U.S.financial sector is plagued with frauds including check fraud, ATMfraud, debit fraud and credit fraud. For example, check fraud, which isa perennial problem in the financial sector, amounts to approximately $1billion in losses annually.

Defrauders utilize checks to perpetrate frauds in several ways. Forinstance, one category of fraud, referred to in the art as “On-Us”Fraud, involves presentment of fraudulent checks that are drawn onaccounts held by the bank. These checks may be forged, altered oroutright counterfeits. If honored, “On-Us” checks result in losses tothe bank.

Another category of deposit account fraud involves new account scams,account takeovers and other schemes that involve defrauding accounts andgaining access to the funds they contain. In these situations, checksare drawn on a bank other than the bank at which it is presented. Aswith “On-Us” checks, if these checks are honored, they result in lossesto the bank.

Still another category of fraud involving checks is referred to as checkkiting. Check kiting is a specialized case of Deposit Fraud thatinvolves presenting a check without sufficient funds to cover the amountof the check. After presenting a first check as a deposit to oneaccount, kiters quickly deposit another check from a second account tocover the first check, creating an opportunity to use float—the gapbetween when checks are presented and cleared—to their advantage. Kitingcan be accidental or intentional, small-scale or very large.

Software that is designed to aid in the detection of fraudulentactivities exists. Many of these conventional packages offer rudimentaryuser interfaces that display unadorned transactional information. Usersof these software packages are often forced to review large amounts ofthis transactional information in search of fraudulent activity. Evenso, many business concerns use fraud detection software to identify andstop fraudulent activities, thereby saving themselves and others fromsignificant financial losses.

SUMMARY OF INVENTION

Aspects and examples disclosed herein present fraud detection systemsand processes that direct investigation of potentially fraudulentactivities in a manner that is more effective and efficient thanconventional fraud detection systems and processes. For instance, someexamples disclosed herein manifest an appreciation that differentcategories of fraud involve different schemes and approaches and thateach requires analysis and review of different types of data. Many ofthese examples include a system interface, an analytics engine and auser interface. In these examples, the system interface receivesempirical data from a diverse set of sources and stores the data forfurther processing by the analytics engine. The analytics engineanalyzes the empirical data to characterize the likelihood thatactivities described in the data are fraudulent and generates alertsindicating potentially fraudulent activity. The user interface altersits structure and content based on the characteristics and investigatoryneeds of the potentially fraudulent activity being reported. As isexplained further below, the user interface embodies a high degree ofsubject matter expertise and provides relevant information often usingunconventional user interface components.

The fraud detection systems and processes disclosed herein target a widevariety of potentially fraudulent activity. A non-limiting list of thecategories of fraudulent activity that may be investigated using thesesystems and methods includes deposit account fraud, check fraud, ACHfraud, ATM fraud, debit card fraud, credit card fraud, check kiting,employee fraud, health care fraud, identify theft, mortgage fraud, moneylaundering, paperhanging, account takeovers, application fraud, bust-outfraud and identify theft. Other categories of fraudulent activities maybe addressed according to various examples. Thus, examples are notlimited to activities belonging to particular categories or possessingparticular attributes.

According to one aspect, a computer implemented method of providinginformation regarding an activity that is potentially fraudulent isprovided. The method includes acts of receiving a fraud alert from ananalytics engine, the fraud alert having at least one reason code andalert content, the alert content describing the activity, determining aset of user interface components associated with the at least one reasoncode and presenting the set of user interface components and the alertcontent to a user.

In the method, the act of presenting the set of user interfacecomponents may include an act of presenting a valid activity that sharesa common characteristic with the activity that is potentiallyfraudulent. In addition, the act of receiving the fraud alert mayinclude an act of receiving at least one reason code indicative of checkfraud and the act of presenting the set of user interface components mayinclude an act of presenting a link between representations of checkswith periodically re-occurring amounts. Further, the act of receivingthe fraud alert may include an act of receiving at least one reason codeindicative of check fraud and the act of presenting the set of userinterface components may include an act of presenting a representationof variances between a plurality of expected attributes and a pluralityof corresponding attributes of checks. Moreover, the act of receivingthe fraud alert may include an act of receiving at least one reason codeindicative of check fraud and the act of presenting the set of userinterface components may include an act of presenting a representationof a check book that characterizes a plurality of serial numbers forchecks associated with the check book. Additionally, the act ofpresenting the representation of the check book may include an act ofpresenting a representation of a range extending from the representationof the check book, the representation of the range indicating expectedserial numbers for checks associated with the check book. Furthermore,the act of receiving at least one reason code indicative of check fraudmay include an act of receiving at least one reason code indicative ofon-us fraud.

In the method, the act of presenting the set of user interfacecomponents may include an act of presenting a representation of pastfraud alerts within a timeline control. In addition, the act ofreceiving the fraud alert may include the act of receiving at least onereason code indicative of deposit fraud and the act of presenting theset of user interface components may include an act of presenting atimeline control spanning a duration specified in the alert content.Further, the act of receiving the fraud alert may include an act ofreceiving at least one reason code indicative of deposit fraud and theact of presenting the set of user interface components may include anact of presenting a concave hull representation of balances of at leastone account over a predetermined period of time. Moreover, the set ofuser interface components may include a plurality of charts and the actof presenting the set of user interface components may include acts ofselecting a preferred chart from the plurality of charts based on thereason code and the alert content and presenting the preferred chartprior to providing access to the other charts of the plurality ofcharts. Additionally, a combination of the reason code and the alertcontent may indicate that a serial number of a presented check isoutside a range of threshold numbers and the act of selecting thepreferred chart may include an act of selecting a multivariate chartthat illustrates a variance between the serial number and an expectedserial number for the check.

According to another aspect, a system for providing informationregarding an activity that is potentially fraudulent is provided. Thesystem includes a fraud alert interface configured to receive a fraudalert from an analytics engine, the fraud alert having at least onereason code and alert content, the alert content describing theactivity, an interface engine configured to determine a set of userinterface components associated with the at least one reason code and auser interface configured to present the set of user interfacecomponents and the alert content to a user.

In the system, the user interface may be further configured to present avalid activity that shares a common characteristic with the activitythat is potentially fraudulent. In addition, the fraud alert may includeat least one reason code indicative of check fraud and the userinterface may be configured to present a link between representations ofchecks with periodically re-occurring amounts. Further, the fraud alertmay include at least one reason code indicative of check fraud and theuser interface may be configured to present a representation ofvariances between a plurality of expected attributes and a plurality ofcorresponding attributes of checks. Moreover, the fraud alert mayinclude at least one reason code indicative of check fraud and the userinterface may be configured to present a representation of a check bookthat characterizes a plurality of serial numbers for checks associatedwith the check book. Additionally, the user interface may be configuredto present the representation of the check book by presenting arepresentation of a range extending from the representation of the checkbook, the representation of the range indicating expected serial numbersfor checks associated with the check book. Furthermore, the reason codeindicative of check fraud may be indicative of on-us fraud.

In the system, the user interface may be configured to present arepresentation of past fraud alerts within a timeline control. Further,the fraud alert may include at least one reason code indicative ofdeposit fraud and the user interface may be configured to present atimeline control spanning a duration specified in the alert content.Moreover, the fraud alert may include at least one reason codeindicative of deposit fraud and the user interface may be configured topresent a concave hull representation of balances of at least oneaccount over a predetermined time period.

According to another aspect, a non-transitory computer readable mediumis provided. The computer readable medium has instructions storedthereon that, when executed by at least one processor, instruct the atleast one processor to perform a method of providing informationregarding an activity that is potentially fraudulent. The methodincludes acts of receiving a fraud alert from an analytics engine, thefraud alert having at least one reason code and alert content, the alertcontent describing the activity, determining a set of user interfacecomponents associated with the at least one reason code and presentingthe set of user interface components and the alert content to a user. Inaddition, the instructions for receiving the fraud alert may instructthe at least one processor to perform acts including receiving at leastone reason code indicative of check fraud and the instructions forpresenting the set of user interface components instruct the at leastone processor to perform acts including presenting a representation ofvariances between a plurality of expected attributes and a plurality ofcorresponding attributes of checks associated with a check book.

According to another aspect, a system for providing informationregarding a suspect activity identified as potentially fraudulent isprovided. The system includes a memory storing data describing thesuspect activity, the suspect activity including a plurality ofattributes, each attribute of the plurality of attributes including anactual value and being associated with an expected value and aninterface coupled to the memory and configured to receive an indicationof the suspect activity and present a representation of differencesbetween the actual value of, and the expected value associated with,each attribute of the plurality of attributes of the suspect activity.

In the system, the representation of the differences may include aplurality of axes, each axis of the plurality of axes indicating a setof potential values for a difference between the actual value of, andthe expected value associated with, one of the plurality of attributes.In addition, the representation of differences may include at least onegeometric shape that represents a set of reference values. Further, theat least one geometric shape may include a circle. Moreover, the atleast one geometric shape may include a three dimensional shape.Additionally, the memory may further store data describing a pluralityof authentic activities including a plurality of authentic attributevalues, each of the plurality of authentic activities sharing at leastone common characteristic with the suspect activity, the plurality ofauthentic attribute values having a standard deviation, and the at leastone geometric shape may include a plurality of concentric circles, eachof the plurality of concentric circles having a center, a circumferenceand a radius with a distance indicating that a value represented by thecenter differs from a value represented by any point on thecircumference by a multiple of the standard deviation. Furthermore, theinterface may be further configured to present a representation of atleast one authentic activity that shares a common characteristic withthe suspect activity. Also, the data describing the suspect activity mayinclude information describing presentation of a check.

According to another aspect, a computer implemented method for providinginformation regarding a suspect activity identified as potentiallyfraudulent is provided. The method includes acts of storing datadescribing the suspect activity in a memory, the suspect activityincluding a plurality of attributes, each attribute of the plurality ofattributes including an actual value and being associated with anexpected value, receiving, via an interface, an indication of thesuspect activity and presenting, via the interface, a representation ofdifferences between the actual value of, and the expected valueassociated with, each attribute of the plurality of attributes of thesuspect activity.

In the method, the act of presenting, via the interface, therepresentation of the differences may include an act of presenting aplurality of axes, each axis of the plurality of axes indicating a setof potential values for a difference between the actual value of, andthe expected value associated with, one of the plurality of attributes.In addition, the act of presenting, via the interface, therepresentation of differences may include an act of presenting at leastone geometric shape that represents at least one set of referencevalues. Further, the act of presenting the at least one geometric shapemay include an act of presenting a circle. Moreover, the act ofpresenting the at least one geometric shape may include an act ofpresenting a three dimensional shape.

The method may further include an act of storing data describing aplurality of authentic activities including a plurality of authenticattribute values, each of the plurality of authentic activities sharingat least one common characteristic with the suspect activity, theplurality of authentic attribute values having a standard deviation. Inaddition, the act of presenting the at least one geometric shape mayinclude an act of presenting a plurality of concentric circles, each ofthe plurality of concentric circles having a center, a circumference anda radius with a distance indicating that a value represented by thecenter of the circle differs from a value represented by any point onthe circumference by a multiple of the standard deviation. Moreover, themethod may further include an act of presenting a representation of atleast one authentic activity that shares a common characteristic withthe suspect activity. Additionally, the act of storing the datadescribing the suspect activity may include an act of storinginformation describing presentation of a check.

According to another aspect, a non-transitory computer readable mediumis provided. The computer readable medium has instructions storedthereon that, when executed by at least one processor, instruct the atleast one processor to perform a method of providing informationregarding a suspect activity identified as potentially fraudulent. Themethod includes acts of storing data describing the suspect activity,the suspect activity including a plurality of attributes, each attributeof the plurality of attributes including an actual value and beingassociated with an expected value, receiving an indication of thesuspect activity and presenting a representation of differences betweenthe actual value of, and the expected value associated with, eachattribute of the plurality of attributes of the suspect activity.

The instructions may also instruct the at least one processor to presentthe representation of the differences by presenting a plurality of axes,each axis of the plurality of axes indicating a set of potential valuesfor a difference between the actual value of, and the expected valueassociated with, one of the plurality of attributes. In addition, theinstructions may instruct the at least one processor to present therepresentation of differences by presenting at least one geometric shapethat represents at least one set of reference values. Moreover, theinstructions may instruct the at least one processor to store datadescribing a plurality of authentic activities including a plurality ofauthentic attribute values, each of the plurality of authenticactivities sharing at least one common characteristic with the suspectactivity, the plurality of authentic attribute values having a standarddeviation. Further, the instructions may instruct the at least oneprocessor to present the at least one geometric shape by presenting aplurality of concentric circles, each of the plurality of concentriccircles having a center, a circumference and a radius with a distanceindicating that a value represented by the center of the circle differsfrom a value represented by any point on the circumference by a multipleof the standard deviation.

According to another aspect, a system for providing informationregarding a suspect activity identified as potentially fraudulent isprovided. The system includes a memory storing data describing aplurality of valid activities, each valid activity of the plurality ofvalid activities having a plurality of attributes, each attribute ofeach plurality of attributes having a value and an interface coupled tothe memory and configured to receive an indication of the suspectactivity, present a representation of the suspect activity, present aplurality of representations of valid activities that share at least onecommon characteristic with the suspect activity and present a linkbetween a first representation of the plurality of representations andsecond representation of the plurality of representations. The firstrepresentation represents a first valid activity including at least onefirst attribute having a quasi-periodically re-occurring value and thesecond representation represents a second valid activity including atleast one second attribute having the quasi-periodically re-occurringvalue.

In the system, the suspect activity may include presentation of a check.In addition, the link may include a line between the firstrepresentation and the second representation. Further, the firstrepresentation and the second representation each may have a shape thatis different from other representations of the plurality ofrepresentations and the representation of the suspect activity.Moreover, the first representation and the second representation may bede-emphasized relative to the other representations and therepresentation of the suspect activity. Additionally, the interface maybe further configured to present a plurality of axes, each axis of theplurality of axes indicating a set of potential values of an attributeof the suspect activity. Furthermore, the suspect activity may includepresentation of a check, the check having an amount and a date ofpresentation and the plurality of axes may include a first axis and asecond axis, the first axis indicating a set of potential values for thedate of presentation and the second axis indicating a set of potentialvalues for the amount.

According to another aspect, a computer implemented method for providinginformation regarding a suspect activity identified as potentiallyfraudulent is provided. The method includes acts of storing datadescribing a plurality of valid activities in a memory, each validactivity of the plurality of valid activities having a plurality ofattributes, each attribute of each plurality of attributes having avalue, receiving, via an interface, an indication of the suspectactivity, presenting, via the interface, a representation of the suspectactivity, presenting, via the interface, a plurality of representationsof valid activities that share at least one common characteristic withthe suspect activity and presenting, via the interface, a link between afirst representation of the plurality of representations and secondrepresentation of the plurality of representations. The firstrepresentation represents a first valid activity including at least onefirst attribute having a quasi-periodically re-occurring value and thesecond representation represents a second valid activity including atleast one second attribute having the quasi-periodically re-occurringvalue.

In the method, the act of receiving, via the interface, the indicationof the suspect activity may include an act of receiving an indication ofa presentation of a check. In addition, the act of presenting, via theinterface, the link may include an act of presenting a line between thefirst representation and the second representation. Further, the act ofpresenting, via the interface, a plurality of representations mayinclude an act of presenting the first representation and the secondrepresentation with a shape that is different from other representationsof the plurality of representations and the representation of thesuspect activity. Moreover, the act of presenting the firstrepresentation and the second representation may include an act ofpresenting the first representation and the second representation asde-emphasized relative to the other representations and therepresentation of the suspect activity. Additionally, the method mayfurther include an act of presenting a plurality of axes, each axis ofthe plurality of axes indicating a set of potential values of anattribute of the suspect activity. Furthermore, the act of receiving,via the interface, the indication of the suspect activity may include anact of receiving an indication of a presentation of a check, the checkhaving an amount and a date of presentation and the act of presentingthe plurality of axes may include an act of presenting a first axis anda second axis, the first axis indicating a set of potential values forthe date of presentation and the second axis indicating a set ofpotential values for the amount.

According to another aspect, a non-transitory computer readable mediumis provided. The computer readable medium has instructions storedthereon that, when executed by at least one processor, instruct the atleast one processor to perform a method of providing informationregarding a suspect activity identified as potentially fraudulent. Themethod includes acts of storing data describing a plurality of validactivities, each valid activity of the plurality of valid activitieshaving a plurality of attributes, each attribute of each plurality ofattributes having a value, receiving an indication of the suspectactivity, presenting a representation of the suspect activity,presenting a plurality of representations of valid activities that shareat least one common characteristic with the suspect activity andpresenting a link between a first representation of the plurality ofrepresentations and second representation of the plurality ofrepresentations. The first representation represents a first validactivity including at least one first attribute having aquasi-periodically re-occurring value and the second representationrepresents a second valid activity including at least one secondattribute having the quasi-periodically re-occurring value.

The instructions may also instruct the at least one processor to receivethe indication of the suspect activity by receiving an indication of apresentation of a check. In addition, the instructions may instruct theat least one processor to present the link by presenting a line betweenthe first representation and the second representation. Further, theinstructions may instruct the at least one processor to present aplurality of representations by presenting the first representation andthe second representation with a shape that is different from otherrepresentations of the plurality of representations and therepresentation of the suspect activity. Moreover, the instructions mayinstruct the at least one processor to present the first representationand the second representation by presenting the first representation andthe second representation as de-emphasized relative to the otherrepresentations and the representation of the suspect activity.Additionally, the instructions may further instruct the at least oneprocessor to perform acts including presenting a plurality of axes, eachaxis of the plurality of axes indicating a set of potential values of anattribute of the suspect activity.

According to another aspect, a system for providing informationregarding a suspect check that is potentially fraudulent is provided.The system includes a memory storing data describing a check bookassociated with plurality of checks, the plurality of checks includingthe suspect check and a plurality of authentic checks, each check of theplurality of checks including a plurality of attributes, each attributeof each plurality of attributes having an actual value and an interfacecoupled to the memory and configured to receive an indication of thesuspect check, present a representation of the suspect check, present arepresentation of the check book and present a representation of a zoneextending from the representation of the check book, the representationof the zone indicating a plurality of reference values for at least oneof the plurality of attributes of the suspect check.

In the system, the at least one of the plurality of attributes mayinclude a serial number. In addition, the interface may be furtherconfigured to present a representation of at least one authentic checkof the plurality of authentic checks. Further, the representation of thecheck book may include a first curve. Moreover, the representation ofthe zone may include a second curve indicating an upper bound of theplurality of reference values and a third curve indicating a lower boundof the plurality of reference values. Additionally, a subset of theactual values of the plurality of authentic checks has a standarddeviation and the second curve and the third curve are each disposed ata distance from the first curve, the distance indicating that valuesrepresented by points on either the second curve or the third curvediffer from values represented by points on the first curve by amultiple of the standard deviation. Furthermore, the interface may befurther configured to present a plurality of axes, each axis of theplurality of axes indicating a set of potential values of an attributeof the suspect check. Also, the representation of the zone may include athree dimensional shape that represents the plurality of referencevalues.

According to another aspect, a computer implemented method for providinginformation regarding a suspect check that is potentially fraudulent isprovided. The method includes acts of storing, in a memory, datadescribing a check book associated with plurality of checks, theplurality of checks including the suspect check and a plurality ofauthentic checks, each check of the plurality of checks including aplurality of attributes, each attribute of each plurality of attributeshaving an actual value, receiving, via an interface, an indication ofthe suspect check, presenting, via the interface, a representation ofthe suspect check, presenting, via the interface, a representation ofthe check book and presenting, via the interface, a representation of azone extending from the representation of the check book. Therepresentation of the zone may indicate a plurality of reference valuesfor at least one of the plurality of attributes of the checks of theplurality of checks associated with the check book.

In the method, the act of presenting, via the interface, therepresentation of the zone may include an act of presenting arepresentation of a zone indicating a plurality of reference values forserial numbers of the checks associated with the check book. Inaddition, the method may further include an act of presenting arepresentation of at least one authentic check of the plurality ofauthentic checks. Further, the act of presenting, via the interface, therepresentation of the check book may include an act of presenting afirst curve. Moreover, the act of presenting, via the interface, therepresentation of the zone may include an act of presenting a secondcurve indicating an upper bound of the plurality of reference values anda third curve indicating a lower bound of the plurality of referencevalues. Additionally, a subset of the actual values of the plurality ofauthentic checks may have a standard deviation and the act ofpresenting, via the interface, the representation of the zone mayinclude an act of presenting the second curve and the third curve at adistance from the first curve, the distance indicating that valuesrepresented by points on either the second curve or the third curvediffer from values represented by points on the first curve by amultiple of the standard deviation. Furthermore, the method may furtherinclude an act of presenting a plurality of axes, each axis of theplurality of axes indicating a set of potential values of an attributeof the suspect check. Also, the act of presenting, via the interface,the representation of the zone may include an act of presenting a threedimensional shape that represents the plurality of reference values.

According to another aspect a non-transitory computer readable medium isprovided. The computer readable medium has instructions stored thereonthat, when executed by at least one processor, instruct the at least oneprocessor to perform a method of providing information regarding asuspect activity identified as potentially fraudulent. The methodincludes acts of storing data describing a check book associated withplurality of checks, the plurality of checks including the suspectcheck, each check of the plurality of checks including a plurality ofattributes, each attribute of each plurality of attributes having anactual value, receiving an indication of the suspect check, presenting arepresentation of the suspect check, presenting a representation of thecheck book and presenting a representation of a zone extending from therepresentation of the check book. The representation of the zone mayindicate a plurality of reference values for at least one of theplurality of attributes of the checks of the plurality of checksassociated with the check book.

The instructions may also instruct the at least one processor to presentthe representation of the zone by presenting a representation of a zoneindicating a plurality of reference values for serial numbers of thechecks associated with the check book. In addition, the instructions mayfurther instruct the at least one processor to perform acts includingpresenting a representation of at least one authentic check of theplurality of authentic checks. Moreover, the instructions may instructthe at least one processor to present the representation of the checkbook by presenting a curve.

According to another aspect, a system for providing informationregarding a suspect activity identified as potentially fraudulent isprovided. The system includes a memory storing activity data describingthe suspect activity, the suspect activity being associated with anaccount and account data describing at least one balance metric for theaccount. The system also includes an interface coupled to the memory andconfigured to receive an indication of the suspect activity, present arepresentation of the suspect activity, present a representation of theat least one balance metric and present a representation of a timelinethat includes an indication of any previous activity identified aspotentially fraudulent and associated with the account.

In the system the representation of the at least one balance metric mayinclude a curve and a lower concave hull between local minimums of thecurve. In addition, the at least one balance metric may include a ledgerbalance, an available balance and a collected balance. Further, therepresentation of the at least one balance metric may highlightdifferences between the ledger balance, the available balance and thecollected balance. Moreover, the indication of any previous activityidentified as potentially fraudulent may include a time period and therepresentation of the timeline may span the time period. Additionally,the time period may extend beyond a time associated with the suspectactivity and a time associated any previous activity identified aspotentially fraudulent. Furthermore, the interface may be furtherconfigured to receive an adjustment of the time period via therepresentation of the timeline.

According to another aspect, a computer implemented method for providinginformation regarding a suspect activity that is potentially fraudulentis provided. The method includes acts of storing, in a memory, activitydata describing the suspect activity, the suspect activity beingassociated with an account, storing, in the memory, account datadescribing at least one balance metric for the account, receiving, viaan interface, an indication of the suspect activity, presenting, via theinterface, a representation of the suspect activity, presenting, via theinterface, a representation of the at least one balance metric andpresenting, via the interface, a representation of a timeline thatincludes an indication of any previous activity identified aspotentially fraudulent and associated with the account.

In the method, the act of presenting, via the interface, therepresentation of the at least one balance metric may include an act ofpresenting a curve and a lower concave hull between local minimums ofthe curve. In addition, the act of presenting, via the interface, therepresentation of the at least one balance metric may include an act ofpresenting a ledger balance, an available balance and a collectedbalance. Further, the act of presenting the ledger balance, theavailable balance and the collected balance may include an act ofhighlighting differences between the ledger balance, the availablebalance and the collected balance. Moreover, the act of presenting, viathe interface, the representation of the timeline may include an act ofpresenting a timeline that spans a time period associated with anyprevious activity identified as potentially fraudulent. Additionally,the act of presenting the timeline that spans the time period mayinclude an act of presenting a timeline that extends beyond a timeassociated with the suspect activity and a time associated with anyprevious activity that is suspected of being fraudulent. Furthermore,the method may further include acts of receiving a request to adjust thetime period from a user and adjusting, responsive to the request, thetime period.

According to another aspect, a non-transitory computer readable mediumis provided. The computer readable medium has instructions storedthereon that, when executed by at least one processor, instruct the atleast one processor to perform a method of providing informationregarding a suspect activity that is potentially fraudulent. The methodincludes acts of storing activity data describing the suspect activity,the suspect activity being associated with an account, storing accountdata describing at least one balance metric for the account, receivingan indication of the suspect activity, presenting a representation ofthe suspect activity, presenting a representation of the at least onebalance metric and presenting a representation of a timeline thatincludes an indication of any previous activity identified aspotentially fraudulent and associated with the account.

The instructions may also instruct the at least one processor to presentthe representation of the at least one balance metric by presenting acurve and a lower concave hull between local minimums of the curve. Inaddition, the instructions may instruct the at least one processor toreceive the indication by receiving an indication including a timeperiod and the instructions instruct the at least one processor topresent the representation of the timeline by presenting a timeline thatspans the time period. Further, the instructions may instruct the atleast one processor to present the representation of the at least onebalance metric by presenting a ledger balance, an available balance anda collected balance. Moreover, the instructions may instruct the atleast one processor to present the ledger balance, the available balanceand the collected balance with highlighted differences between theledger balance, the available balance and the collected balance.

Still other aspects, examples, and advantages of these exemplary aspectsand examples, are discussed in detail below. Moreover, it is to beunderstood that both the foregoing information and the followingdetailed description are merely illustrative examples of various aspectsand embodiments, and are intended to provide an overview or frameworkfor understanding the nature and character of the claimed aspects andembodiments. Any example disclosed herein may be combined with any otherexample in any manner consistent with at least one of the objects, aims,and needs disclosed herein, and references to “an example,” “someexamples,” “an alternate example,” “various examples,” “one example,”“at least one example,” “this and other examples” or the like are notnecessarily mutually exclusive and are intended to indicate that aparticular feature, structure, or characteristic described in connectionwith the example may be included in at least one example. Theappearances of such terms herein are not necessarily all referring tothe same example. In addition, it is to be appreciated that activitiesdeemed as potentially fraudulent, or the instruments or items used toconduct these potentially fraudulent activities, may be referred toherein as “suspect” and activities deemed non-fraudulent, and anyinstruments or items associated therewith, may be referred to herein as“valid,” “genuine” or “authentic.”

BRIEF DESCRIPTION OF DRAWINGS

Various aspects of at least one example are discussed below withreference to the accompanying figures, which are not intended to bedrawn to scale. The figures are included to provide an illustration anda further understanding of the various aspects and examples, and areincorporated in and constitute a part of this specification, but are notintended as a definition of the limits of the invention. The drawings,together with the remainder of the specification, serve to explainprinciples and operations of the described and claimed aspects andexamples. In the figures, each identical or nearly identical componentthat is illustrated in various figures is represented by a like numeral.For purposes of clarity, not every component may be labeled in everyfigure. In the figures:

FIG. 1 is a block diagram of one example of a fraud detection systemwithin a network;

FIG. 2 is a flow diagram of a method for presenting a fraud alert drivenuser interface;

FIG. 3 is a block diagram of one example of a computer system that maybe used to perform processes and functions disclosed herein;

FIG. 4 is an exemplary illustration of a fraud alert driven userinterface;

FIG. 5 is another exemplary illustration of a fraud alert driven userinterface;

FIG. 6 is another exemplary illustration of a fraud alert driven userinterface;

FIG. 7 is another exemplary illustration of a fraud alert driven userinterface;

FIG. 8 is another exemplary illustration of a fraud alert driven userinterface;

FIG. 9 is another exemplary illustration of a fraud alert driven userinterface;

FIG. 10 is another exemplary illustration of a fraud alert driven userinterface;

FIG. 11 is another exemplary illustration of a fraud alert driven userinterface;

FIG. 12 is another exemplary illustration of a fraud alert driven userinterface; and

FIG. 13 is another exemplary illustration of a fraud alert driven userinterface.

DETAILED DESCRIPTION

Aspects and examples disclosed herein relate to apparatus and processesfor receiving an indication of potentially fraudulent activity andgenerating a presentation of fraud detection information suitable forthe category of fraud indicated. For instance, processes and apparatusin accord with some examples receive fraud alerts that include one ormore reason codes and one or more portions of alert content. Alertcontent includes particular instances of potentially fraudulent activityand information that is pertinent to, and associated with, theseinstances. Reason codes indicate characteristics associated with theactivity that provide the basis for classifying the activity aspotentially fraudulent. For example, a reason code may indicate that aparticular transaction was drawn on an account that was opened in abranch known to have a higher risk of fraudulent activity or that theparticular transaction was drawn to an account with a history offraudulent activity.

Additionally, in some examples, alerts include a primary reason code andone or more secondary reason codes. In these examples, the primaryreason code may indicate a characteristic of the potentially fraudulentactivity that is relatively more anomalous than other, irregularcharacteristics of the transaction. For instance, a transaction may bedrawn to an account that was opened recently and that includes a serialnumber of a check that has already cleared the account. In thisinstance, the primary reason code may indicate that the transactionincludes a duplicate check serial number and the secondary reason codemay indicate that the transaction was drawn to a recently openedaccount. In other examples, the primary reason code may indicate anactivity that would not be considered anomalous but for the combinationof the primary reason code with secondary reason code(s). For instance,a transaction may be drawn for an amount above a threshold value that isapplicable only to new accounts. In this instance, the primary reasoncode may indicate that the transaction amount exceeded a thresholdassociated only with new accounts and the secondary reason code mayindicate that the check was drawn on a recently opened account.

According to some examples, alerts that share one or more commoncharacteristics are organized into queues. These queues may be used tomanage the workflow of analysts who investigate the authenticity ofpotentially fraudulent activity. For instance, in some examples, ananalyst may be assigned to work alerts that are associated with aparticular queue. In this situation, the analyst retrieves, reviews andeventually disposes of alerts that reside within her assigned queue.

In various examples, a variety of common characteristics of alerts areused to associate the alerts with one or more queues. In some of theseexamples, the queue with which an alert is associated is determined, atleast in part, by a reason code included in the alert. For instance, insuch one example, the set of queues includes a duplicate queue, adeposit queue, a kiting queue, an out-of-pattern queue and a multiqueuefor alerts that include a plurality of reason codes. Another exampleincludes parameters that enable customization of alert to queueassociations. In this instance, one or more parameters may specify thata particular queue be associated, for example, with alerts having areason code indicative of potentially fraudulent deposit activity andthat originate from activity involving branches located within aparticular geographic area, such as the southeast or mid-atlantic. FIG.13 illustrates a user interface that includes a component 1300, referredto as a “Workbench,” that displays a plurality of alerts theirassociated queues.

In other examples, components within a fraud detection interface selecta set of user interface components for presentation to a user based uponthe category of fraud indicated by an alert. In these examples, the userinterface components selected by the fraud detection interface mayinclude representations of individual checks, representations ofquasi-periodically re-occurring checks, representations of check books,representations of financial institution exposure over time andrepresentations of the probability that presented checks are authenticconsidering a plurality of check characteristics. As used herein, theterm “quasi-periodic” is used to denote activity attributes that followa substantially regular pattern. For instance, checks used to paymonthly rent are likely to be associated within a quasi-periodic group.This is so because rent checks have several quasi-periodic attributes,i.e. similar (or the same) amounts, are presented at substantially thesame time each month and are often presented by the same person orbusiness entity.

In one example where the fraud detection user interface receives areason code directed generally toward check fraud, the fraud detectionuser interface selects and displays a set of user interface componentsthat focus on attributes of individual checks. These attributes mayinclude the specific account against which the checks are drawn, serialnumbers of the checks, dates of presentment of the checks, checkamounts, the identity of the endorser and patterns involving theseattributes. In another example where the fraud detection user interfacereceives a reason code directed to deposit fraud in general, the frauddetection user interface selects and presents a set of user interfacecomponents that focus on attributes of the overall account. Theseattributes may include account balances, daily transaction totals andthe like.

In addition, some of these examples assist the user in analyzing thealert by emphasizing a particular subset of the selected user interfacecomponents as a function of one or more reason codes included in thealert. For instance, in some situations, the reason code may indicatethe presentment of a check with a serial number that is a duplicate of aserial number of a previously presented check. Such checks are likely tobe fraudulent. In these situations, the fraud detection user interfacemay emphasize the “Serial×Order Presented” component by displaying the“Serial×Order Presented” component prior to displaying other selecteduser interface. The “Serial×Order Presented” component, which isdiscussed further below with regard to FIG. 6, is selected and presentedbecause it allows the analyst to easily determine which check with theduplicate serial number better fits the overall transaction history. Inanother example, reason codes may indicate that a check has a pluralityof characteristics that, when analyzed as a whole, indicate that thecheck is an outlier to an established pattern. In this instance, thefraud detection user interface emphasizes a component that illustratesthe anomalous nature of the check such as the “Dollar Variance×SerialVariance” component discussed below with regard to FIG. 9.

Thus examples disclosed herein select and display user interfacecomponents that are relevant to the category of potentially fraudulentactivity being reported. In addition, examples disclosed hereinemphasize the specific subsets of the selected user interface componentsthat are most useful in analyzing the potentially fraudulent activity.These and additional characteristics of the fraud detection userinterface are discussed further below.

It is to be appreciated that examples of the methods and apparatusesdiscussed herein are not limited in application to the details ofconstruction and the arrangement of components set forth in thefollowing description or illustrated in the accompanying drawings. Themethods and apparatuses are capable of implementation in other examplesand of being practiced or of being carried out in various ways. Examplesof specific implementations are provided herein for illustrativepurposes only and are not intended to be limiting. In particular, acts,components, elements and features discussed in connection with any oneor more examples are not intended to be excluded from a similar role inany other examples.

Also, the phraseology and terminology used herein is for the purpose ofdescription and should not be regarded as limiting. Any references toexamples, components, elements or acts of the systems and methods hereinreferred to in the singular may also embrace examples including aplurality, and any references in plural to any example, component,element or act herein may also embrace examples including only asingularity. References in the singular or plural form are not intendedto limit the presently disclosed systems or methods, their components,acts, or elements. The use herein of “including,” “comprising,”“having,” “containing,” “involving,” and variations thereof is meant toencompass the items listed thereafter and equivalents thereof as well asadditional items. References to “or” may be construed as inclusive sothat any terms described using “or” may indicate any of a single, morethan one, and all of the described terms.

Fraud Alert Driven User Interface

Various examples disclosed herein effect a fraud alert driven userinterface on one or more computer systems. As is explained furtherbelow, examples of a fraud alert driven user interface harness thereasons that triggered the fraud alert and the content included in thefraud alert to identify one or more user interface components thatdisplay information in a manner that aids analysis and investigation ofpotentially fraudulent activity. In these examples, after identifyingthe interface components, the fraud alert driven user interface displaysthe fraud alert content within a user interface including the identifiedcomponents. FIG. 1 illustrates an example including a fraud alert drivenuser interface.

FIG. 1 includes a fraud detection system 100 coupled to a computersystem 102 via a network 104. According to various examples, the frauddetection system 100 is implemented using one or more computer systems,such as the distributed computer system 300 discussed below with regardto FIG. 3. Thus, examples of the fraud detection system 100 include avariety of hardware and software components configured to perform thefunctions described herein and examples are not limited to a particularhardware component, software component or particular combinationthereof. The network 104 may include any communication network throughwhich computer systems may exchange (i.e. send or receive) information.For example, the network 104 may be a public network, such as theinternet, and may include other public or private networks such as LANs,WANs, extranets and intranets. As shown, the computer system 102 iscoupled to, and can exchange data with, the fraud detection system 100via the network 104.

In addition, information may flow between the elements, components andsubsystems described herein using a variety of techniques. Suchtechniques include, for example, passing the information over thenetwork using standard protocols, such as TCP/IP, passing theinformation between modules in memory and passing the information bywriting to a file, database, or some other non-volatile storage device.In addition, pointers or other references to information may betransmitted and received in place of, or in addition to, copies of theinformation. Conversely, the information may be exchanged in place of,or in addition to, pointers or other references to the information.Other techniques and protocols for communicating information may be usedwithout departing from the scope of the examples disclosed herein.

In the illustrated example, the fraud detection system 100 includes afraud detection interface 106, an analytics engine 108, an empiricaldatabase 110 and a transaction and reference database 116. As discussedfurther below, the empirical database 110 includes a variety of factualinformation regarding fraudulent and non-fraudulent activities conductedby various entities. The analytics engine 108 analyzes the factualinformation using a number of advanced mathematical techniques and ranksactivities according to their risk of being fraudulent. Activitiesdetermined to have a low risk are deemed authentic and activities havinga high risk are deemed potentially fraudulent. Upon identifyingpotentially fraudulent activity, the analytics engine 108 generates andissues a fraud alert to the fraud detection interface 106 and providestransaction and reference records that correspond to the fraud alert tothe transaction and reference database 116.

In the example shown, the fraud detection interface 106 includes apresentation engine 112 and a user interface library 114. The userinterface library 114 includes a plurality of user interface componentsthat are specially configured for display in conjunction with contentincluded in fraud alerts. As with other components of the system, thesespecialized user interface components may include data structures andexecutable instructions. In addition, the user interface library 114provides a system interface through which other system components, suchas the presentation engine 112, can request instantiation of thecomponents housed within the library. Some examples of thevisualizations created by these user interface components are discussedfurther below with regard to FIGS. 4-13.

According to the example illustrated in FIG. 1, the fraud detectioninterface 106 resides on the fraud detection system 100. However, asexplained with regard to FIG. 3 below, other examples may arrange systemcomponents in a variety of configurations. For instance, in someexamples, the fraud detection interface 106 resides on at least oneclient system, such as computer system 102.

The empirical database 110 depicted in FIG. 1 includes components thatstore and retrieve empirical data. In general, this empirical mayinclude any information associated with any activity conducted byentities that may be characterized as fraudulent or authentic. The dataincluded in the empirical database 110 may be gathered from a widevariety of sources. For instance, in an example directed toward checkfraud, the systems from which data is imported include financialsoftware systems, payroll systems, and customer relationship managementsystems. In these examples, the information imported includes accountinformation, customer information, branch information, employeeinformation and financial transaction information. In addition, theempirical database 110 may include an audit trail detailing the date andtime of any changes made to the data contained within.

The transaction and reference database 116 depicted in FIG. 1 includescomponents that store and retrieve transaction and referenceinformation. In general, this transaction and reference information mayinclude any information associated with a fraud alert. In many examples,transaction and reference information provides additional detailregarding the empirical data that triggered the fraud alert. Thisinformation may include transactional information such as transactionamount, transaction date and time and the identity of the personconducting the transaction, as well as indications of the referenceinformation associated with the transaction. This reference informationmay include account information, branch information, customerinformation, and relationships between accounts, customers and branches.

Together, the empirical database 110 and the transaction and referencedatabase 116 define, or may be used to define, a wide variety ofattributes and attribute values for fraudulent and non-fraudulentactivities. Examples of activity attributes may include any of the typesof data discussed above with regard to the empirical database 110 or thetransaction and reference database 116, such as customer information,account information or transactional information. In some examples,activity attributes and attribute values also include metrics, summariesor other calculated characterizations of underlying data. Examples ofsuch calculated characterizations include membership of a check in aquasi-periodic group or association of a check with a particularcheckbook. Also, in some examples, activity attributes (and attributevalues) may describe not only accounts, checks or customers directlyinvolved with the activity but may also indicate items or entitiesindirectly associated with suspect activity. For instance, attributes ofa potentially fraudulent activity may include indications of customers,accounts or items that are not directly involved in a suspecttransaction.

Conversely, in some examples, activity attributes include indications ofone or more accounts that the analytics engine 108 determines to beintimately involved with a suspect account. In these examples, intimateaccounts include two or more accounts that are strongly associated withone another. These associations may be based on a number of accountattributes. For instance, accounts may be deemed intimate if theaccounts are jointly owned, share the same phone number or address, arereferenced in a high number of transactions involving one another or arereferenced in transactions that move large percentages of balancesbetween the accounts. Intimate accounts may be held at a singlefinancial institution or may be held at multiple financial institutions.

Information, including empirical data and transaction and referencedata, may be stored on the fraud detection system 100 in any logicalconstruction capable of storing information on a computer readablemedium including, among other structures, flat files, indexed files,hierarchical databases, relational databases or object orienteddatabases. The data may be modeled using unique and foreign keyrelationships and indexes. The unique and foreign key relationships andindexes may be established between the various fields and tables toensure both data integrity and data interchange performance.

Continuing the example shown in FIG. 1, the presentation engine 112processes fraud alerts received from the analytics engine 108. Accordingto some examples, the presentation engine 112 includes components thatenable the user to interact with the user interface. These interactivecomponents may include the specially configured user interfacecomponents discussed herein or may include other user interfacecomponents. In at least one example, these interactive components allowa user to navigate the various components that make up a user interface,such as different controls, frames and screens. The particular makeup ofuser interfaces presented by the presentation engine is discussedfurther below with regards to the FIG. 4-13.

In some examples, the presentation engine 112 determines and presentsattributes of a user interface that are appropriate for efficientanalysis of potentially fraudulent activity. For instance, in at leastone example, the presentation engine 112 tailors the timescale accordingto the reason codes and alert content included in a fraud alert.According to this example, the reason codes may indicate that a thirdparty has potentially taken over a deposit account. In this instance,the alert content may indicate a particular period of time (for example,3 days) during which customer information (such as address and emailinformation) was altered and an unusual transaction was conducted. Inthis instance, the presentation engine 112 may display a user interfacein accord with FIG. 5, which is described further below. Within thiscontext, the presentation engine 112 may display a detailed view of allaccount activity conducted within, or substantially near, the particularperiod of time indicated within the alert content. In addition, thepresentation engine 112 may further include representations for thechanges to the customer information in the form of gridlines such asgridline 1100 shown in FIG. 11.

According to another example, the reason codes may indicate potentialcheck kiting fraud. In this instance the presentation engine 112 maydisplay a user interface in accord with FIG. 10 which is describedfurther below. Within this context, the presentation engine 112 maydisplay cyclical amount transfers between intimate source anddestination accounts within a relatively short period of time (forexample, 1-2 weeks). However, if the reason codes indicate potentialcheck kiting fraud based primarily on previous kiting fraud alerts, thepresentation engine 112 may display a user interface in accord with FIG.10 that spans a significantly longer period of time (for example, 6-12months). This longer time horizon enables users to analyze the completeset of potentially fraudulent activities that triggered the fraud alert.

In this way, the presentation engine 112 provides the user with theinformation necessary to take corrective action that is appropriategiven the risk presented. For example, if the user determines an accounthas been taken over by a third party, the user may close the account.However, if the user determines that the activity presented as potentialcheck kiting by the presentation engine 112 is actually nothing morethan loose account management, the user may adjust the hold period oroverdraft policy for the account.

According to some examples, the presentation engine 112 determines thedefault view presented to a user based on the strength of an associationbetween the potentially fraudulent item and one or more comparableitems. Within user interfaces displayed according to this example, thepresentation engine 112 presents items that the analytics engine 108deems as authentic as comparable items to provide a user with adequatecontext in which to analyze the authenticity of the potentiallyfraudulent item. Some of these examples are discussed below with regardto FIGS. 5-9. In these examples, the presentation engine 112 selectsthese comparable items based on a variety of criteria. For instance,according to some examples, the presentation engine 112 presents, ascomparable items, checks that belong to the same check book along withthe potentially fraudulent check. FIGS. 6 and 7, which are discussedfurther below, illustrate two such examples. If, however, the check bookto which the potentially fraudulent item belongs cannot be determined,the presentation engine 112 presents, as comparable items, checks thatbelong to a series of checks having a quasi-periodically re-occurringamount. FIG. 8, which is also discussed further below, illustrates onesuch example. Further, according to some examples, if neither a checkbook, nor quasi-periodic series can be determined for the potentiallyfraudulent item, the presentation engine 112 presents the potentiallyfraudulent item within a display that characterizes the multivariatedistance between the potentially fraudulent item and the values expectedfor the item's serial number and amount. FIG. 9, described furtherbelow, illustrate one example of such a user interface.

In some examples, the presentation engine 112 may alter the default viewpresented based on the existence of a configuration parameter definingparticular default views. In other examples, the presentation engine 112may alter the default view presented based on the strength of anassociation between the potentially fraudulent item and one or morecomparable items. For instance, if the association between thepotentially fraudulent item and the series of quasi-periodic checkstransgresses a predetermine threshold, the presentation engine 112displays a user interface in accord with FIG. 9, rather than a userinterface in accord with FIG. 6, 7 or 8. Also, according to anotherexample, if the reason codes and alert content indicate that thepotentially fraudulent nature of the item is significantly more evidencewhen comparing multiple characteristics of the potentially fraudulentitem to their expected values, rather than when comparing individualcharacteristics, the presentation engine 112 displays a user interfacein accord with FIG. 9.

Presentation Processes

An example of the method implemented by the presentation engine 112 isillustrated in FIG. 2. In this example, the process 200 includes acts ofreceiving a fraud alert, determining which user interface componentsbest suit the reason codes included in the fraud alert and presenting auser interface including the user interface components, fraud alertcontent and transaction and reference information. Process 200 begins at202.

In act 204, a fraud alert is received from the analytics engine 108.According to various examples, the presentation engine 112 receives thefraud alert via a system interface provided by the presentation engine112. Upon receipt of the fraud alert, the presentation engine 112 parsesone or more reason codes and additional alert content from the fraudalert and stores each in memory for subsequent processing. In someexamples, the reason codes are categorized into fraud categories thatindicate one or more categories of potentially fraudulent activity. Inone example directed toward check fraud, these fraud categories includeon-us fraud and deposit fraud. In this example, reason codes belongingto the check fraud category include reasons codes that indicate activityinvolving on-us fraud, duplicate checks, checks with suspicious amounts,checks written on suspect accounts and checks with characteristics thatfall outside established patterns. Also, in this example, reason codesbelonging to the deposit fraud category include reason codes thatindicate activity involving deposits with characteristics that falloutside an established pattern, transactions conducted in suspectlocations, accounts causing the financial institution to sufferincreased exposure, accounts exhibiting an increasing negative balancecollected, accounts with a large amount of activity given the length oftime they have been open, accounts associated with large payments,accounts associated with a new branch, accounts with previously returnedchecks, accounts exhibiting an increase in the rate of returned checks,accounts associated with previous alerts and account with an unusualexposure.

In act 206, one or more user interface components are identified thatare suitable to display alert content given the one or more reason codesparsed from the fraud alert. In some examples, the presentation engine112 consults an associative data structure that associates reason codeswith particular user interface components and issues requests to theuser interface library 114 to instantiate user interface componentsassociated with the one or more reason codes. In an example directedtoward check fraud, the user interface components that are associatedwith reason codes belonging to the check fraud category includerepresentations of individual checks, representations of checks withquasi-periodically re-occurring amounts, representations of check booksand representations of the probability that presented checks areauthentic considering a plurality of check characteristics. According tothis example, the user interface components that are associated withreason codes belonging to the deposit fraud category includerepresentations of various account balances, representations offinancial institution exposure over time and specialized time linecontrols that present the history of particular accounts.

In act 208, a user interface is presented to a user that includes theuser interface components and alert content. In some examples, thepresentation engine 112 also presents information from the transactionand reference database 116 within the user interface. In these examples,the presentation engine 112 requests transaction and referenceinformation associated with the fraud alert from the transaction andreference database 116. In at least one example, the presentation engine112 requests some types of transaction and reference information as afunction of the category of potentially fraudulent activity beingreported. For instance, in an example where the reason code indicatespotential check kiting, the presentation engine 112 requests accountbalance information for the suspect account, standard transaction andreference information, such as account and customer information andoptional transaction and reference information, such informationregarding foreign accounts that are intimately involved with suspectaccount. In this example, the presentation engine 112 requests thestandard information in response to receiving an alert and requests theoptional information in response to the presence, within the alert, ofthe reason code that indicates potential check kiting.

After the presentation engine 112 receives the requested information,the presentation engine 112 presents this information along with theuser interface components. Depending on the nature of the each userinterface component, the alert content and transaction and referenceinformation may be presented within the user interface component,adjacent to the user interface component or simply in association withthe user interface component. Particular examples of these speciallyconfigured user interface components are discussed below with referenceto FIGS. 4-13.

Process 200 ends at 210. Data driven fraud interface activities inaccord with process 200 enable a system to present user interfaces thatare structured to display information that is particularly pertinent tothe potentially fraudulent activity under investigation. In this way,processes in accord with process 200 provide users with guidance toeffectively and efficiently dispose of fraud alerts raised by thesystem.

Process 200 depicts one particular sequence of acts in a particularexample. The acts included in process 200 may be performed by, or using,one or more computer systems specially configured as discussed herein.Some acts are optional and, as such, may be omitted in accord with oneor more examples. Additionally, the order of acts can be altered, orother acts can be added, without departing from the scope of the systemsand methods discussed herein. In addition, as discussed above, in atleast one example, the acts are performed on a particular, speciallyconfigured machine, namely a computer system configured according to theexamples disclosed herein.

Computer System

As discussed above with regard to FIG. 1, various aspects and functionsmay be implemented as specialized hardware or software componentsexecuting in one or more computer systems. There are many examples ofcomputer systems that are currently in use. These examples include,among others, network appliances, personal computers, workstations,mainframes, networked clients, servers, media servers, applicationservers, database servers and web servers. Other examples of computersystems may include mobile computing devices, such as cellular phonesand personal digital assistants, and network equipment, such as loadbalancers, routers and switches. Further, aspects may be located on asingle computer system or may be distributed among a plurality ofcomputer systems connected to one or more communications networks.

For example, various aspects and functions may be distributed among oneor more computer systems configured to provide a service to one or moreclient computers, or to perform an overall task as part of a distributedsystem. Additionally, aspects may be performed on a client-server ormulti-tier system that includes components distributed among one or moreserver systems that perform various functions. Consequently, examplesare not limited to executing on any particular system or group ofsystems. Further, aspects and functions may be implemented in software,hardware or firmware, or any combination thereof. Thus, aspects andfunctions may be implemented within methods, acts, systems, systemelements and components using a variety of hardware and softwareconfigurations, and examples are not limited to any particulardistributed architecture, network, or communication protocol.

Referring to FIG. 3, there is illustrated a block diagram of adistributed computer system 300, in which various aspects and functionsmay be practiced. The distributed computer system 300 may include onemore computer systems that exchange (i.e. send or receive) information.For example, as illustrated, the distributed computer system 300includes computer systems 302, 304 and 306. As shown, the computersystems 302, 304 and 306 are interconnected by, and may exchange datathrough, a communication network 308. The network 308 may include anycommunication network through which computer systems may exchange data.To exchange data using the network 308, the computer systems 302, 304and 306 and the network 308 may use various methods, protocols andstandards, including, among others, Fibre Channel, Token Ring, Ethernet,Wireless Ethernet, Bluetooth, IP, IPV6, TCP/IP, UDP, DTN, HTTP, FTP,SNMP, SMS, MMS, SS7, JSON, SOAP, CORBA, REST and Web Services. To ensuredata transfer is secure, the computer systems 302, 304 and 306 maytransmit data via the network 308 using a variety of security measuresincluding, for example, TSL, SSL or VPN. While the distributed computersystem 300 illustrates three networked computer systems, the distributedcomputer system 300 is not so limited and may include any number ofcomputer systems and computing devices, networked using any medium andcommunication protocol.

FIG. 3 illustrates a particular example of a distributed computer system300 that includes computer system 302, 304 and 306. As illustrated inFIG. 3, the computer system 302 includes a processor 310, a memory 312,a bus 314, an interface 316 and data storage 318. The processor 310 mayperform a series of instructions that result in manipulated data. Theprocessor 310 may be a commercially available processor such as an IntelXeon, Itanium, Core, Celeron, Pentium, AMD Opteron, Sun UltraSPARC, IBMPower5+, or IBM mainframe chip, but may be any type of processor,multiprocessor or controller. The processor 310 is connected to othersystem components, including one or more memory devices 312, by the bus314.

The memory 312 may be used for storing programs and data duringoperation of the computer system 302. Thus, the memory 312 may be arelatively high performance, volatile, random access memory such as adynamic random access memory (DRAM) or static memory (SRAM). However,the memory 312 may include any device for storing data, such as a diskdrive or other non-volatile storage device. Various examples mayorganize the memory 312 into particularized and, in some cases, uniquestructures to perform the functions disclosed herein and these datastructures may be tailored to store values for particular types of data.

Components of the computer system 302 may be coupled by aninterconnection element such as the bus 314. The bus 314 may include oneor more physical busses, for example, busses between components that areintegrated within a same machine, but may include any communicationcoupling between system elements including specialized or standardcomputing bus technologies such as IDE, SCSI, PCI and InfiniBand. Thus,the bus 314 enables communications, such as data and instructions, to beexchanged between system components of the computer system 302.

The computer system 302 also includes one or more interface devices 316such as input devices, output devices and combination input/outputdevices. Interface devices may receive input or provide output. Moreparticularly, output devices may render information for externalpresentation. Input devices may accept information from externalsources. Examples of interface devices include keyboards, mouse devices,trackballs, microphones, touch screens, printing devices, displayscreens, speakers, network interface cards, etc. Interface devices allowthe computer system 302 to exchange information and communicate withexternal entities, such as users and other systems.

The data storage 318 may include a computer readable and writeablenonvolatile (non-transitory) data storage medium in which instructionsare stored that define a program or other object that may be executed bythe processor 310. The data storage 318 also may include informationthat is recorded, on or in, the medium, and this information may beprocessed by the processor 310 during execution of the program. Morespecifically, the information may be stored in one or more datastructures specifically configured to conserve storage space or increasedata exchange performance. The instructions may be persistently storedas encoded signals, and the instructions may cause the processor 310 toperform any of the functions described herein. The medium may, forexample, be optical disk, magnetic disk or flash memory, among others.In operation, the processor 310 or some other controller may cause datato be read from the nonvolatile recording medium into another memory,such as the memory 312, that allows for faster access to the informationby the processor 310 than does the storage medium included in the datastorage 318. The memory may be located in the data storage 318 or in thememory 312, however, the processor 310 may manipulate the data withinthe memory 312, and then copy the data to the storage medium associatedwith the data storage 318 after processing is completed. A variety ofcomponents may manage data movement between the storage medium and othermemory elements and examples are not limited to particular datamanagement components. Further, examples are not limited to a particularmemory system or data storage system.

Although the computer system 302 is shown by way of example as one typeof computer system upon which various aspects and functions may bepracticed, aspects and functions are not limited to being implemented onthe computer system 302 as shown in FIG. 3. Various aspects andfunctions may be practiced on one or more computers having a differentarchitectures or components than that shown in FIG. 3. For instance, thecomputer system 302 may include specially programmed, special-purposehardware, such as an application-specific integrated circuit (ASIC)tailored to perform a particular operation disclosed herein. Whileanother example may perform the same function using a grid of severalgeneral-purpose computing devices running MAC OS System X with MotorolaPowerPC processors and several specialized computing devices runningproprietary hardware and operating systems.

The computer system 302 may be a computer system including an operatingsystem that manages at least a portion of the hardware elements includedin the computer system 302. In some examples, a processor or controller,such as the processor 310, executes an operating system. Examples of aparticular operating system that may be executed include a Windows-basedoperating system, such as, Windows NT, Windows 2000 (Windows ME),Windows XP, Windows Vista or Windows 7 operating systems, available fromthe Microsoft Corporation, a MAC OS System X operating system availablefrom Apple Computer, one of many Linux-based operating systemdistributions, for example, the Enterprise Linux operating systemavailable from Red Hat Inc., a Solaris operating system available fromSun Microsystems, or a UNIX operating systems available from varioussources. Many other operating systems may be used, and examples are notlimited to any particular operating system.

The processor 310 and operating system together define a computerplatform for which application programs in high-level programminglanguages may be written. These component applications may beexecutable, intermediate, bytecode or interpreted code whichcommunicates over a communication network, for example, the Internet,using a communication protocol, for example, TCP/IP. Similarly, aspectsmay be implemented using an object-oriented programming language, suchas .Net, SmallTalk, Java, C++, Ada, or C# (C-Sharp). Otherobject-oriented programming languages may also be used. Alternatively,functional, scripting, or logical programming languages may be used.

Additionally, various aspects and functions may be implemented in anon-programmed environment, for example, documents created in HTML, XMLor other format that, when viewed in a window of a browser program,render aspects of a graphical-user interface or perform other functions.Further, various examples may be implemented as programmed ornon-programmed elements, or any combination thereof. For example, a webpage may be implemented using HTML while a data object called fromwithin the web page may be written in C++. Thus, the examples are notlimited to a specific programming language and any suitable programminglanguage could be used. Thus, functional components disclosed herein mayinclude a wide variety of elements, e.g. executable code, datastructures or objects, configured to perform the functions describedherein.

In some examples, the components disclosed herein may read parametersthat affect the functions performed by the components. These parametersmay be physically stored in any form of suitable memory includingvolatile memory (such as RAM) or nonvolatile memory (such as a magnetichard drive). In addition, the parameters may be logically stored in apropriety data structure (such as a database or file defined by a usermode application) or in a commonly shared data structure (such as anapplication registry that is defined by an operating system). Inaddition, some examples provide for both system and user interfaces thatallow external entities to modify the parameters and thereby configurethe behavior of the components.

Exemplary User Interfaces

As discussed above, some examples are directed toward a fraud alertdriven user interface that presents user interface components speciallyconfigured to display fraud detection information. FIG. 4 illustratesone example of a fraud alert driven user interface 400 prior toreceiving a fraud alert. As shown, the user interface 400 includes analert panel 402, a chart frame 404, a transactions frame 406, a detailand content frame 408, a customer detail frame 410, an account detailframe 412 and a notes frame 414. The alert panel 402 is configured topresent summary information regarding a fraud alert. This summaryinformation may include one or more reasons that the fraud alert wasgenerated and alert content included in the fraud alert. For instance,as shown in FIG. 4, the alert panel 402 includes an analyst bar and analert bar. The analyst bar provides information identifying the user andthe queue that the user is working. The alert bar displays an alertscore and reason code information indicating one or more reason codesincluded in the fraud alert. In the illustrated example, the reason codeinformation is referred to as “Categories.” Additionally, in someexamples, the alert score is a metric that indicates the level ofconfidence that a potentially fraudulent activity is, in fact,fraudulent.

The chart frame 404 provides an area for specialized user interfacecomponents capable of visualizing a variety of summary-level frauddetection information. The particular visualization shown in the chartframe 404 depends on the reasons underlying a fraud alert. For instance,if the primary reason for the fraud alert is indicative of check fraud,the visualizations displayed in the chart frame 404 will focus ondisplay of the potentially fraudulent item within the context ofcomparable, trustworthy items. Alternatively, if the primary reason forthe fraud alert is indicative of deposit fraud, the visualizationsdisplayed in the chart frame will aggregate large numbers of individualtransactions to provide a user with an overall perspective of accountactivity.

As is explained further below, some of the components displayed in thechart frame 404 receive user requests to present alternativevisualizations or to affect the information displayed in othercomponents of the user interface 400. For instance, in the someexamples, a user can filter, or restrict, the information shown incomponents included in the transactions frame 406 by interacting withcomponents included the chart frame 404. Additionally, in some examples,the fraud detection interface 106 generates representations within thechart frame 404 from a variety of data sources including the transactionand reference database 116.

Continuing the example shown in FIG. 4, the transactions frame 406provides an area for components that display mid-level transactionalinformation to a user. As discussed below, the particular transactioninformation displayed within the transaction frame 406 varies based onthe reasons underlying the fraud alert and the information selectedwithin the chart frame 404. Also, in some examples, the componentsincluded in the transaction frame 406 interact with the user to selectparticular transactional information or to affect the informationdisplayed in other components of the user interface 406. For instance,in the these examples, the user can filter, or restrict, the informationshown in the detail and content frame 408 by interacting with one ormore components included the transaction frame 406.

As shown, the detail and content frame 408 provides an area to displayfurther details regarding the fraud alert. The particular detailinformation displayed is based on the reasons underlying the fraud alertand the information selected within the transaction frame 406. Accordingto some examples, this detailed information further documents thecharacteristics of the transactions selected in the transactions frame406 and may include information gathered from other systems.

In the example shown, frames 410, 412 and 414 provide an area to displayadditional context to the user investigating a fraud alert. The customerdetail frame 410 is configured to present customer related informationand, in some examples, displays customer information such as name,address, social security number and accounts associated with a customer.Like other components described above, the customer detail frame 410interacts with a user and allows a user to affect the informationdisplayed in other components of the user interface 406. For instance,in the illustrated example, a user can select a particular accountwithin the customer details frame 410 and thereby cause the accountdetails frame 412 to display information regarding the selected account.The account details frame 412 is configured to display account relatedinformation. In some examples, the account details frame 412 displaysinformation such as account type, account status and balanceinformation. The notes frame 414 is configured to interact with the userto record information pertinent to the fraud alert under investigation.

FIG. 5 illustrates the fraud alert driven user interface 400 from FIG. 4after the presentation engine 112 has received and processed a fraudalert with a primary reason code that indicates potential check fraud.In the example shown, the analytics engine 108 issued the fraud alertbecause a check was presented with a relatively normal amount, a serialnumber that was out of sequence and a period of time between the currentpresentment and a previous presentment from the same check booktransgress a threshold. The presentation engine 112 has altered thealert panel 402 to display this reason along with customer information,account information and the serial number of the potentially fraudulentcheck, which in this instance is #501. The presentation engine 112 hasalso altered the chart frame 404 to include a specialized user interfacecomponent 500, referred to as “Serial×Date Presented,” that plots pointrepresentations of checks within a two-dimensional grid. In theillustrated example, these representations of checks take the form ofsmall white squares. As shown, the vertical axis of the grid representsthe serial numbers of checks presented for this account and thehorizontal axis of the grid represents the dates that the checks werepresented. The Serial×Date Presented component 500 also displays acomparable item, namely check #1373, which presentation engine 112 orthe analytics engine 108 deems as authentic. This comparable item ispresented to provide the user with context in which to investigate andevaluate the authenticity of the potentially fraudulent item, check#501. The Serial×Date Presented component 500 is configured to changethe comparable item responsive to a selection, by the user, of anotherrepresentation of a check within the grid. Furthermore, in theillustrated example, the chart frame 404 also includes a set ofalternative visualization components 502 that are selectable by the userto change the user interface component displayed in the chart frame 404.

In addition, as shown in FIG. 5, the presentation engine 112 has alteredthe transactions frame 406 to include a specialized user interfacecomponent 504, referred to as “Checks,” that presents an image of thepotentially fraudulent check #501 and the comparable check #1373. Thepresentation engine 112 has also modified the detail and content frame408 to include a specialized user interface component 506, referred toas “Additional Check Views,” that presents additional images of thechecks shown in the Checks component 504. In this example, the frauddetection user interface 106 receives these images via a systeminterface between the fraud detection user interface 106 and an externalcheck imaging system. Upon receiving an indication that the user wishesto compare the potentially fraudulent check against another comparableitem, the presentation engine 112 changes the images presented in theChecks component 504 and the Additional Check Views component 506 toimages associated with the new comparable item. Also, in this example,the presentation engine 112 highlights the potentially fraudulent itemwith a red color and the comparable item with a green color to furtherdistinguish the two. In other examples, the presentation engine 112 usesother highlighting methods such as changing the characteristics of thefont or causing font to flash and examples are not limited to aparticular highlighting technique. In addition, although the exampleshown in FIG. 5 presents a particular set of visual representations forchecks and a particular orientation of axes and gridlines, otherexamples may employ other representations and orientations and examplesare not limited to specific representations or orientations.

FIG. 6 illustrates the fraud alert driven user interface 400 from FIG. 5after the presentation engine 112 has received and processed a userrequest for an alternative visualization from the set of alternativevisualization components 502. The presentation engine 112 has alteredthe chart frame 404 to include a specialized user interface component600, referred to as “Serial×Order Presented,” that plots pointrepresentations of checks within a two-dimensional grid. In theillustrated example, the vertical axis of the grid represents the serialnumbers of checks presented for this account and the horizontal axis ofthe grid represents the dates on which the checks were presented. Incomparison to other user interface components that present date basedviews, order based views spread out clusters of check activity so thatthe representations of the checks are equally spaced along the axis thatrepresents the order of presentment.

In the illustrated example, the Serial×Order Presented component 600also displays representations of check books associated with the checks.These representations take the form of green lines extending from leftto right within the grid. Like the comparable item, theserepresentations are presented to provide the user with context in whichto investigate and evaluate the authenticity of the potentiallyfraudulent item, check #501. In some examples, the representation of thecheck book is drawn with a slope, or other indication, that representsthe rate at which checks have been historically presented from eachcheck book. Checks whose representations fall closer to such arepresentation of a check book are more likely to be authentic. TheSerial×Order Presented component 600 is configured to drill down into aparticular check book responsive to the user selecting therepresentation of the check book within the grid.

FIG. 7 illustrates the fraud alert driven user interface 400 from FIG. 6after the Serial×Order Presented component 600 has received andprocessed a user request to drill down into a particular check book,which in this instance is “Book 1100-1400.” In the illustrated example,the Serial×Order Presented component 700 displays, in addition to therepresentation of a check book described with regard to FIG. 6, arepresentation of a set of reference serial numbers associated with thecheck book. In the illustrated example, the representation of thereference serial numbers takes the form of a green zone or rangeextending from the representation of the check book within the grid. Insome examples, the representation of the reference serial numbers isdrawn to indicate all serial numbers within which serial numbers ofpresented checks may fall and be within one standard deviation of theirexpected serial numbers. In these examples, the standard deviation andthe expected value of the serial numbers are calculated from apopulation of authentic checks associated with the account. Checks whoserepresentations fall within such a representation of the referenceserial numbers are more likely to be authentic.

Like the comparable item, the representation of the reference serialnumbers is displayed to provide the user with context in which toinvestigate and evaluate the authenticity of a potentially fraudulentitem. In the illustrated example, check number #501 appears risky andfraudulent because its representation falls outside of the zonerepresentation of the reference serial numbers and therefore varies fromthe normal, expected value for serial number by more than one standarddeviation. Conversely, check number #1373 is less risky and appears tobe authentic because its representation falls within the zone.

While the illustrated example employs a zone to represent referencevalues of a single attribute, examples are not limited to a particularnumber of attributes. For instance, other examples may employ cylindersor other three dimensional geometric figures to represent referencevalues of two attributes. Thus, examples are not limited to a particularnumber of reference values or attributes.

FIG. 8 illustrates the fraud alert driven user interface 400 from FIG. 5after the presentation engine 112 has received and processed a userrequest for an alternative visualization from the set of alternativevisualization components 502. The presentation engine 112 has alteredthe chart frame 404 to include a specialized user interface component800, referred to as “Amount×Date Presented,” that plots pointrepresentations of checks within a two-dimensional grid. In theillustrated example, the vertical axis of the grid represents the amountof the checks presented for this account and the horizontal axis of thegrid represents the date that the checks were presented.

In the illustrated example, the Amount×Date Presented component 800 alsodisplays representations of checks that the analytics engine 108 hasdetermined are quasi-periodically re-occurring checks, i.e. checks withperiodically re-occurring amounts. These representations take the formof de-emphasized, horizontal gray lines extending from left to rightwithin the grid. As shown, these representations link eachquasi-periodically re-occurring check into a group of quasi-periodicallyre-occurring checks. In addition, these representations may be presentat all times during the display of the Amount×Date Present component 800or may only be visible where a mouse, or other input device, hovers overone of the members of the periodically re-occurring group of checks Likethe comparable item, these representations are presented to provide theuser with context in which to investigate and evaluate the authenticityof the potentially fraudulent item, check #501.

Periodically re-occurring checks are lower risk items and thereforeprovide a sound basis for comparison with potentially fraudulent items.In some examples, representations of the periodically re-occurringchecks are drawn with characteristics that differentiate theperiodically re-occurring checks from the non-periodically re-occurringchecks, thereby highlighting the non-periodically re-occurring checksfor additional scrutiny. For instance, according to one example, theAmount×Date Presented component 800 displays periodically re-occurringchecks as gray circles rather than white squares.

FIG. 9 illustrates the fraud alert driven user interface 400 from FIG. 5after the presentation engine 112 has received and processed a userrequest for an alternative visualization from the set of alternativevisualization components 502. The presentation engine 112 has alteredthe chart frame 404 to include a specialized user interface component900, referred to as “Dollar Variance×Serial Variance,” that plots pointrepresentations of checks within a two-dimensional grid. In theillustrated example, the vertical axis of the grid represents thevariance between the actual presented amount and an expected amount foreach presented check associated with an account and the horizontal axisof the grid represents the variance between the actual presented serialnumber and an expected serial number for each presented check associatedwith the account. According to this example, the expected amounts andserial numbers are determined with reference to a population ofauthentic checks associated with the account.

In the illustrated example, the Dollar Variance×Serial Variancecomponent 900 also displays representations of reference values foramounts and serial numbers. These reference values are calculated fromthe population of authentic checks associated with the account. In theillustrated example, the representations of the reference values takethe form of concentric circles. Each concentric circle is shaded green,with the shading of larger circles have greater transparency relative tosmaller circles. In some examples, the representations of the referencevalues are drawn to reflect all amounts and serial numbers within whichactual presented amounts or serial numbers of checks may fall and bewithin some predetermined number of standard deviations from theirexpected amount and serial number.

Also as shown in this example, the Dollar Variance×Serial Variancecomponent 900 includes three concentric circles. The smallest concentriccircle represents the amounts and serial numbers of checks that fallwithin one standard deviation of their expected amount and serialnumber. The next largest concentric circle represents the amounts andserial numbers of checks that fall within two standard deviations oftheir expected amount and serial number, and the largest concentriccircle represents the amounts and serial numbers of checks that fallwithin three standard deviations of their expected amount and serialnumber. The closer the representation of any given check is to thecenter of the Dollar Variance×Serial Variance component 900, the lowerthe risk associated with the check. This is so because fraudulent checksare not generally presented with amounts and serial numbers that arerelatively close to amounts and serial numbers of authentic checks. Infact, fraudulent checks are more likely to be extreme with regard tothese attributes. Hence the relative risk of a check being fraudulentincreases as the attributes of the check cause its representation tomove from the origin, and particularly when its representation movesinto the first quadrant.

In the illustrated example, check number #501 appears fraudulent becauseits representation falls outside of the third concentric circle. Inparticular, the amount of check number #501 varies from the normal,expected value by more than three standard deviations and the serialnumber varies from the normal, expected value by more than two standarddeviations. Conversely, check number #1373 appears to be authenticbecause its representation falls within the first concentric circle.

While the illustrated example employs concentric circles to representreference values of two attributes, examples are not limited to aparticular number of attributes or a particular geometry. Some examplesmay employ other shapes, such as squares, rectangles, or any otherregular or irregular polygons. Other examples may employ spheres orother higher dimensional shapes to represent reference values of aplurality of attributes. Thus, examples are not limited to a particularnumber of reference values, attributes or a particular geometricrepresentation thereof.

Similarly, while the example shown in FIG. 9 displays reference valuesthat are based on the standard deviation of a population of checks,other examples may employ other measures and representations ofrareness. For instance, some examples may display reference values thatare level sets of the relative risk of a given pair of attributes beingfraudulent as compared to the risk that a pair of attributescorresponding to the origin is fraudulent. This particular choice isespecially useful where training examples that are known to befraudulent are available.

FIG. 10 illustrates the fraud alert driven user interface 400 from FIG.4 after the presentation engine 112 has received and processed a fraudalert with a primary reason code that indicates potential deposit fraud.In the example shown, the analytics engine 108 issued the fraud alertbecause of unusual activity associated with the account that has causeda divergence between three account balance metrics: ledger balance,available balance and collected balance. The ledger balance representsthe amount of money reported to a customer in response to a balanceinquiry. The available balance represents the amount of money to which acustomer can actually gain access. The collected balance is the amountof deposited money that the financial institution has collected.Divergence of these three metrics is indicative of an account in stressand that exposes the back to risk of loss.

As shown in FIG. 10, the presentation engine 112 has altered the alertpanel 402 to display the reason for the fraud alert along with customerinformation, account information and the current date. The presentationengine 112 has also altered the chart frame 404 to include a specializeduser interface component 1000, referred to as “Balances,” that plotsrepresentations of the ledger balance, the available balance and thecollected balance over a particular period of time. The period of timepresented by the Balances component 1000 is represented and controlledby a specialized timeline control component 1002.

In the illustrated example, the Balances component 1000 has set thetimeline control 1002 to the time period designated as relevant by theanalytics engine 108 within the alert content. However, the timelinecontrol 1002 is configured to modify the period of time displayed by theBalances component 1000 responsive to requested change by the user. Inaddition, as shown in FIG. 10, the timeline control 1002 includesindications of past fraud alerts embedded within the control itself.These indications provide a user with additional context wheninvestigating potentially fraudulent activities.

As depicted in FIG. 10, the Balances component 1000 represents each ofthe balance metrics by a line drawn between point representations of thedaily values of each metric. The Balances component 1000 also highlightsdifferences between the balance metrics. In the illustrated example, therepresentation of the ledger balance is drawn in blue and therepresentations of the available balance and the ledger balance aredrawn in red. The area between the ledger balance and the availablebalance is shaded in blue. This shade of blue in this area has a highertransparency than the representation of the ledger balance. The areabetween the available balance and the collected balance is shaded inred. Furthermore, the presentation engine 112 has affixed a lowerconcave hull 1008 to the collected balance to represent the overalltrend of the account distress.

In addition, as shown in FIG. 10, the presentation engine 112 hasaltered the transactions frame 406 to include a specialized userinterface component 1004, referred to as “Alert History,” that presentsa summary of previous fraud alerts generated for the account underinvestigation. The Alert History component 1004 is configured to receiveone or more indicators from a user that designate particular historicalalerts of interest. The presentation engine 112 has also modified thedetail and content frame 408 to include a specialized user interfacecomponent 1006, referred to as “Alert Details,” that presents detailsfor previous fraud alerts. Upon receiving an indicator that the user hasselected one or more particular historical alerts displayed within theAlert History component 1004, the Alert Details component 1006 displaysdetailed information from the transaction and reference database 116regarding the indicated historical fraud alerts.

FIG. 11 illustrates the fraud alert driven user interface 500 from FIG.5 after the presentation engine 112 has received and processed a fraudalert with a primary reason code that indicates potential takeover ofthe account by a third party. In the example shown, the presentationengine 112 has inserted the gridline 1100 to indicate the date on withreference information associated with the account was changed.

FIG. 12 illustrates the fraud alert driven user interface 400 from FIG.4 after the presentation engine 112 has received and processed a fraudalert with a primary reason code that indicates potential check kiting.In the example shown, the presentation engine 112 has altered the alertpanel 402 to display the reason for the fraud alert along with customerinformation, account information and the current date. The presentationengine 112 has also altered the chart frame 404 to include a specializeduser interface component 1200, referred to as “Transactions,” thatplots, within a two dimensional grid, representations of thetransactions that have occurred within an account over a particularperiod of time. In the illustrated example, the vertical axis of thegrid represents an amount debited or credited and the horizontal axis ofthe grid represents a time period in which the transaction occurred. Asshown, the Transactions component 1200 includes a set of bars thatrepresent the amounts debited and credited to the account beinganalyzed. One such bar representation is the bar representation 1204.Further, each bar representation includes a representation of a portionof the debited or credited amount that is associated with an identifiedaccount. These identified accounts may include a variety of accounts,such as checking accounts in general, one or more specific checkingaccounts or accounts that are intimately associated with the accountbeing analyzed. In the example shown, the bar representation 1204includes a black line that represents a debited amount that isassociated with one or more intimate accounts. In particular, the blackline represents $145 that was deposited on May 8^(th) via checks drawnon a checking account that is intimately related to the account beinganalyzed.

According to various examples, the Transaction component 1200 includes anumber of parameters for configuring the visualizations displayed. Forinstance, in some examples, the Transactions component 1200 includes afiltering component 1206 that toggles display of information within theTransaction component 1206. In these examples, the types ofvisualizations that may be toggled on or off by the filtering component1206 include representations of to specific transaction types, such asdebits, credits, check deposits and point of sale transactions,representations of particular balance types, such as ledger balance,available balance and collected balance, and trend lines that representaverage credit amount over time, average debit about over time andminimums and maximums within the period of time presented. The period oftime presented by the Transactions component 1200 is represented andcontrolled by a specialized timeline control component 1202 thatfunctions in accord with the timeline control component 1002 describeabove with regard to FIG. 10. Thus, the Transaction component 1200allows a user to modify the components displayed during the course ofany analysis performed.

As depicted in FIG. 12, the Transactions component 1200 includes severalcontext layers that may be shown based on the reason codes included in afraud alert. In the example shown, the Transactions component 1200includes a stacked bar chart that is segmented by intimate andnon-intimate transactions. As shown, these bar chart components indicatea cyclical flow of money between intimate accounts which is thecharacteristic of kiting fraud.

Having thus described several aspects of at least one example, it is tobe appreciated that various alterations, modifications, and improvementswill readily occur to those skilled in the art. For instance, while thebulk of the specification discusses detection of check fraud, examplesdisclosed herein may also be used in other contexts such as to detectother categories of fraud within industries other than the financialindustry, such as the healthcare industry. Such alterations,modifications, and improvements are intended to be part of thisdisclosure, and are intended to be within the scope of the examplesdiscussed herein. Accordingly, the foregoing description and drawingsare by way of example only.

What is claimed is:
 1. A computer system for detecting fraudulentactivity comprising: a memory storing data describing a suspect activityincluding a plurality of attributes and a plurality of authenticactivities including a plurality of authentic attribute values, eachattribute of the plurality of attributes comprising an actual value andbeing associated with an expected value, and each of the plurality ofauthentic activities sharing at least one common characteristic with thesuspect activity, the plurality of authentic attribute values having astandard deviation; and an interface coupled to the memory to: receive,from an analytics engine, a fraud alert comprising an indication of thesuspect activity; determine at least one reason code, at least in part,based on parsing the fraud alert; correlate, using a data structure, theat least one reason code with at least one user interface component;select the at least one user interface component based on the fraudalert and the correlating of the at least one reason code; and present arepresentation of differences using the at least one selected userinterface component, the representation comprising a plurality of axes,each axis indicating a set of potential values for a difference betweenthe actual value of, and the expected value associated with, eachattribute of the plurality of attributes of the suspect activity,wherein the representation of differences includes at least onegeometric shape that represents a set of reference values, the at leastone geometric shape including a plurality of concentric circles, andwherein each of the plurality of concentric circles has a center, acircumference and a radius with a distance indicating that a valuerepresented by the center differs from a value represented by any pointon the circumference by a multiple of the standard deviation.
 2. Thesystem according to claim 1, wherein the at least one geometric shapeincludes a circle.
 3. The system according to claim 1, wherein the atleast one geometric shape includes a three dimensional shape.
 4. Thesystem according to claim 1, wherein the interface is further configuredto present a representation using the at least one selected userinterface component of at least one authentic activity that shares acommon characteristic with the suspect activity.
 5. The system accordingto claim 1, wherein the data describing the suspect activity includesinformation describing presentation of a check.
 6. The system accordingto claim 5, wherein the plurality of axes includes a first axis and asecond axis, the first axis indicating a set of potential values for aserial number of the check, and the second axis indicating a set ofpotential values for the amount of the check.
 7. The system according toclaim 6, wherein the set of potential values on each axis indicatestandard deviations of the expected value of each attribute.
 8. Thesystem according to claim 7, wherein the standard deviations of theexpected value of each attribute are calculated based on authenticchecks associated with the account.
 9. A computer implemented method fordetecting fraudulent activity, the method comprising: storing, using aprocessor, data describing a suspect activity in a memory, the suspectactivity including a plurality of attributes, each attribute of theplurality of attributes including an actual value and being associatedwith an expected value; storing, using the processor, data describing aplurality of authentic activities including a plurality of authenticattribute values, each of the plurality of authentic activities sharingat least one common characteristic with the suspect activity, theplurality of authentic attribute values having a standard deviation;receiving, from an analytics engine, a fraud alert comprising anindication of the suspect activity; determine at least one reason code,at least in part, based on parsing the fraud alert; correlating, using adata structure, the at least one reason code with at least one userinterface component; selecting at least one user interface componentbased on the fraud alert and the correlating of the at least one reasoncode; and presenting a representation of differences using the at leastone selected user interface component, the representation comprising aplurality of axes, each axis indicating a set of potential values for adifference between the actual value of, and the expected valueassociated with, each attribute of the plurality of attributes of thesuspect activity, wherein presenting the representation of differencesusing the at least one selected user interface component includespresenting at least one geometric shape that represents at least one setof reference values, and wherein the at least one geometric shapeincludes presenting a plurality of concentric circles, each of theplurality of concentric circles having a center, a circumference and aradius with a distance indicating that value represented by the centerof the circle differs from a value represented by any point on thecircumference by a multiple of the standard deviation.
 10. The methodaccording to claim 9, wherein presenting the at least one geometricshape includes presenting a circle.
 11. The method according to claim 9,wherein presenting the at least one geometric shape includes presentinga three dimensional shape.
 12. The method according to claim 9, furthercomprising presenting a representation using the at least one selecteduser interface component of at least one authentic activity that sharesa common characteristic with the suspect activity.
 13. The methodaccording to claim 9, wherein storing the data describing the suspectactivity includes storing information describing presentation of acheck.
 14. A non-transitory computer readable medium having instructionsstored thereon that, when executed by at least one processor, instructthe at least one processor to perform a method for detecting potentiallyfraudulent activity, the method comprising: storing data describing asuspect activity, the suspect activity including a plurality ofattributes, each attribute of the plurality of attributes including anactual value and being associated with an expected value; storing datadescribing a plurality of authentic activities including a plurality ofauthentic attribute values, each of the plurality of authenticactivities sharing at least one common characteristic with the suspectactivity, the plurality of authentic attribute values having a standarddeviation; receiving, from an analytics engine, a fraud alert comprisingan indication of the suspect activity; determining at least one reasoncode, at least in part, based on parsing the fraud alert; correlating,using a data structure, the at least one reason code with at least oneuser interface component in association with presentation of the fraudalert; selecting at least one user interface component based on thefraud alert and the correlating of the at least one reason code; andpresenting a representation of differences using the at least oneselected user interface component, the representation including aplurality of axes, each axis indicating a set of values for a differencebetween the actual value of, and the expected value associated with,each attribute of the plurality of attributes of the suspect activity,the representation of differences including at least one geometric shapethat represents at least one set of reference values, and wherein the atleast one geometric shape comprises a plurality of concentric circles,each of the plurality of concentric circles having a center, acircumference and a radius with a distance indicating that a valuerepresented by the center of the circle differs from a value representedby any point on the circumference by a multiple of the standarddeviation.